Matt Jonkman wrote:
> I don't think we can count on the IPs remaining static, nor the ports.
> So I think we'll have to for now rely on the version check sig.
This may also change. The easiest thing to do is probably not letting
users install Skype if you don't want it to be used (it's easier than
maintaining 5 or 10 Snort signatures).
I guess the addresses and ports will change sometime too; my original post
suggested replacing the IP addresses with their associated netblocks
(unfortunately, my Del key seems too close to my Send button).
Skype (version 0.9?) was analysed by
http://www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf
One of the login or bootstrap servers was at 80.160.91.11 (this netblock
is still in use by Skype, but not for login; port 33033 was already used).
It uses STUN for NAT & firewall traversal. Could that be a way to sniff its
presence?
10 sigs for Skype detection seems overkill, so relying only on "Skype
VOIP Checking Version" is probably fine in most cases, especially since
there are competitors on this new market (a new .com economy story
candidate?).
alert ip $HOME_NET any -> [195.215.8.128/24,80.160.88.0/22,212.72.49.128/27] any (msg:"BLEEDING-EDGE P2P VOIP Skype VoIP ip"; classtype:policy-violation; sid:9999995; rev:1;)
alert tcp $HOME_NET any -> any 33033 (msg:"BLEEDING-EDGE P2P VOIP Skype VoIP Login"; classtype:policy-violation; sid:9999996; rev:1;)
alert udp $HOME_NET any -> any 33033 (msg:"BLEEDING-EDGE P2P VOIP Skype VoIP Login"; classtype:policy-violation; sid:9999997; rev:1;)
alert tcp $HOME_NET any -> any 12350 (msg:"BLEEDING-EDGE P2P VOIP Skype VoIP Event"; classtype:policy-violation; sid:9999998; rev:1;)
>>> I'd say remove it, and instead rely on the "Skype VOIP Checking
>>> Version"
>>
It looks like the false+ was some SSL/TLS messages. As Skype knows most
parameters (enc. scheme, certs, ...) I guess they removed the negotiation
from their protocol (why use a dynamic protocol in a static
environment). They probably only exchange random params (such as the DH
keys).
It looks like the messages now begin with "|xx030100|", xx being
"|1x|". A sig candidate could be:
alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P VOIP Skype VoIP 030100"; content:"|030100|"; offset:1; depth:4; classtype:policy-violation; sid:9999999; rev:1;)
I guess it will false+ a lot.
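As an added illustration (not from the post above, and not Snort itself), the following Python emulates the content/offset/depth test of that "030100" candidate over a few constructed payloads, to show where the false positives on ordinary TLS 1.0 records come from and what the depth:4 window allows; the sample bytes are made up, not real captures.

```python
"""Emulate a Snort content/offset/depth check for the "|030100|" rule.

Constructed example; not code from the original post. Sample payloads are
invented for illustration and are not real captures.
"""
from typing import Dict, Optional


def content_match(payload: bytes, content: bytes, offset: int = 0,
                  depth: Optional[int] = None) -> bool:
    """Snort semantics: `content` may appear anywhere inside the window
    payload[offset : offset + depth] (depth None = to the end)."""
    end = len(payload) if depth is None else offset + depth
    return content in payload[offset:end]


# Candidate rule from the post: content:"|030100|"; offset:1; depth:4;
SKYPE_030100 = {"content": bytes.fromhex("030100"), "offset": 1, "depth": 4}
# Tighter variant: a 3-byte content in a 3-byte window can only sit at offset 1.
SKYPE_030100_TIGHT = {"content": bytes.fromhex("030100"), "offset": 1, "depth": 3}

# Constructed first bytes of TCP payloads (labels are assumptions, not captures)
SAMPLES = {
    # "|1x 03 01 00|" prefix as described in the post
    "skype_like": bytes.fromhex("1a030100") + bytes(12),
    # TLS 1.0 ChangeCipherSpec record: type 0x14, version 3.1, length 1, body 0x01
    "tls_ccs": bytes.fromhex("140301000101"),
    # TLS 1.0 Alert record: type 0x15, version 3.1, length 2, fatal handshake_failure
    "tls_alert": bytes.fromhex("15030100020228"),
    # "03 01 00" at byte 2: inside the offset:1/depth:4 window, but misaligned
    "misaligned": bytes.fromhex("aabb030100") + bytes(8),
    # plain HTTP request, should never match
    "http": b"GET / HTTP/1.0\r\n\r\n",
}


def evaluate(rule: dict) -> Dict[str, bool]:
    """Return, per constructed sample, whether the rule would alert on it."""
    return {name: content_match(p, **rule) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, rule in (("offset:1 depth:4", SKYPE_030100),
                        ("offset:1 depth:3", SKYPE_030100_TIGHT)):
        print(label, evaluate(rule))
```

Any TLS 1.0 record shorter than 256 bytes carries "03 01 00" right after its content-type byte, so both variants alert on the ChangeCipherSpec and Alert samples; only the depth:3 variant stops the misaligned hit.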